
I quickly shut down my computer how serious was the damage?


This topic is locked
11 replies to this topic

#1 Lezalit

  • Members
  • 8 posts
  • Local time:11:45 PM

Posted 14 December 2016 - 05:13 PM

Blushing and with a bowed head I join the row of victims here. Although skeptical I double-clicked a script-file in an e-mail attachment apparently from the post office. Nothing happened except that my hard disk started working intensely. I became worried and shut down my computer after a minute. Started the computer again shortly after and immediately saw a ransom message, all I remember was something like “Your files have been encrypted…” and “Cryptolocker”, I pressed the off-button and held it down till everything was quiet and screen black.

 

In total, the computer was running for some two minutes in two sessions with the ransomware. I wonder if the ransomware managed to finish its work in that time, and if there is something I should do before booting up the computer again. I obviously do not want the process to continue and finish what it started.

 

Supposing encrypting was not finished, what about booting in safe mode? Malwarebytes Anti-Malware is already installed on that computer, but unfortunately, it is the free version, which does not block ransomware. It should be able to clean ransomware that is already on the computer, though.

 

Or what about using boot disks? It has been suggested that boot disks may clean the computer without starting the operating system.

http://www.pcworld.com/article/243818/security/how-to-remove-malware-from-your-windows-pc.html

A Live Linux boot disk will let me inspect the folders and files to evaluate the extent of damage – as far as I understand. It would also allow me to copy an encrypted file and a ransom letter to send to ID Ransomware.

 

Another possibility could be to take out the disk and mount it from another PC – to see how much is encrypted.

 

My PC was a fairly good gaming PC some four years ago - and still is, eight core processor, etc. Windows 7. One SSD and one classic HD. There are some 20.000 jpg-files on the HD.

 

There are a couple of other posts from people who were quick to turn off their PC, e.g.:

https://www.bleepingcomputer.com/forums/t/549016/torrentlocker-support-and-discussion-thread-cryptolocker-copycat/page-7

(post # 98, dated 27 November 2014)

 

Any suggestions what to do before I start my infected computer?

 

Thanks in advance.
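The original poster's idea of inspecting the folders from a Live Linux boot disk to judge how far the encryption got can be made systematic. The script below is an added example for this thread, not code from BleepingComputer or from any tool named in it. It assumes the victim's disk (or an image of it) is attached to a clean machine and mounted read-only at a path you pass in; it only ever opens files for reading. The check is simple: a JPEG still begins with the bytes FF D8 FF, a PNG with its 8-byte signature, and so on, so a file whose name says .jpg but whose first bytes say otherwise has been overwritten in place. Files renamed to an extension the table does not know are counted separately, because a sudden crowd of such names is itself a sign of ransomware activity. The sample folder it scans is constructed inside the script (the ".encrypted" name is invented for the sample, not a claim about any specific family).

```python
"""Estimate how far encryption got on a read-only copy of the victim's disk.

Added example for this thread; not code from BleepingComputer. Assumes the
victim's drive or its image is mounted READ-ONLY at the path given to
triage(). Nothing in here writes to the tree it scans.
"""
import os
import tempfile
from collections import Counter

# Well-known file signatures for a few common user-file types.
MAGIC = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".pdf":  (b"%PDF",),
    ".zip":  (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
}


def classify(path):
    """Return 'intact', 'damaged', 'unknown_type' or 'unreadable' for one file."""
    ext = os.path.splitext(path)[1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return "unknown_type"          # extension we don't fingerprint (or renamed)
    try:
        with open(path, "rb") as f:
            head = f.read(16)
    except OSError:
        return "unreadable"
    return "intact" if any(head.startswith(s) for s in sigs) else "damaged"


def triage(root):
    """Walk root; return (Counter of verdicts, list of damaged paths)."""
    counts = Counter()
    damaged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            verdict = classify(p)
            counts[verdict] += 1
            if verdict == "damaged":
                damaged.append(p)
    return counts, damaged


def build_sample_tree(root):
    """Constructed stand-in for a victim's photo folder (not real data)."""
    os.makedirs(os.path.join(root, "photos"), exist_ok=True)
    samples = {
        "photos/holiday1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,  # untouched JPEG
        "photos/holiday2.jpg": b"\x17\xa9\x3c\xf0" + b"\x5b" * 60,  # header overwritten
        "photos/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 40,     # untouched PNG
        "photos/holiday3.jpg.encrypted": b"\x02\x44" * 30,          # renamed (invented ext)
        "notes.txt": b"just a text file",                           # type not fingerprinted
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


def run_demo():
    """Build the constructed tree in a temp dir, triage it, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        counts, damaged = triage(build_sample_tree(tmp))
        return counts, [os.path.basename(p) for p in damaged]


if __name__ == "__main__":
    # On a real case: triage("/mnt/victim") with the mount made read-only.
    counts, damaged = run_demo()
    print(dict(counts))
    for name in damaged:
        print("damaged:", name)
```

On the sample tree this reports two intact files, one damaged JPEG and two files of unknown type; on a real disk the ratio of damaged to intact in the photo folders answers the "how serious was the damage" question far better than opening files by hand. Run it from a live medium against a read-only mount, never from the infected Windows install.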

#2 MDD1963

  • Members
  • 699 posts
  • Local time:07:45 AM

Posted 14 December 2016 - 05:51 PM

Do you have backups? (better yet, a complete backup system image from a recent time before you clicked the ransoming/Cryptolocker file)

 

MBAM will likely remove the source of the infection, but, it will not bring those original files back.


Asus Z270A Prime/7700K/32 GB DDR4-3200/GTX1060


#3 Lezalit

  • Topic Starter
  • Members
  • 8 posts
  • Local time:11:45 PM

Posted 15 December 2016 - 01:31 AM

Thanks for your quick reply.

 

I backed up all my data files some time ago on an external hard disk. No backup of system files or program files though. I guess most of these can be repaired/reinstalled. No backup system image.

 

My main question now is if I should do something before I turn on my ransomed computer.

 

This forum contains an impressive amount of info on what to do next!

 

 

Regards.



#4 shadow_647

  • Banned
  • 1,430 posts
  • Gender:Male
  • Local time:02:45 PM

Posted 15 December 2016 - 02:50 AM

I'd boot the computer with Hiren's boot CD and purge all with a zero bite formatter + full reinstall, it's that simple.

Smart man has backups :whistle:



#5 Lezalit

  • Topic Starter
  • Members
  • 8 posts
  • Local time:11:45 PM

Posted 15 December 2016 - 05:01 AM

Thanks for the tip on Hiren's boot CD. I need to find out more about zero byte formatter, never heard about it before - not that computer savvy.

Regards

#6 shadow_647

  • Banned
  • 1,430 posts
  • Gender:Male
  • Local time:02:45 PM

Posted 15 December 2016 - 10:40 AM

Oops, typo, should be zero bit formatter not byte, my bad.

Anyway, just go down the list to hard disk tools, things like:

 

Active Kill Disk 4.1.2393 Securely overwrites and destroys all data on physical drive.

Darik's Boot and Nuke (DBAN) 1.0.7 Completely deletes the contents of any hard disk it can detect.

DiskWipe 1.2 Securely erases the contents of a disk replacing it with random data or leaving the drive completely blank.

 

Just pick one, I tend to like KillDisk myself.

 

https://www.hiren.info/pages/bootcd

 

http://www.hirensbootcd.org/download/

 

Might as well take a copy of this too and burn it.

 

http://www.ultimatebootcd.com/



#7 chalup

  • Members
  • 191 posts
  • Local time:05:45 PM

Posted 15 December 2016 - 12:16 PM

I wouldn't completely wipe the drive without trying to see what damage was done.



#8 shadow_647

  • Banned
  • 1,430 posts
  • Gender:Male
  • Local time:02:45 PM

Posted 15 December 2016 - 03:00 PM

Topic should be moved then to the malware pro part of the forum, or start a new topic there.

They can help you more than I can then; myself, I'd just punch the computer past every known AV and rootkit detector/remover ~ malware detector and call it a day, if the OS dies in the process or I lose some files, guess that's life.

I'm a machine at rebuilding Windows so I don't care myself if and when Windows bombs.

As well, you should never have everything on one drive on the computer, makes cleaning up a mess hell.



#9 chalup

  • Members
  • 191 posts
  • Local time:05:45 PM

Posted 15 December 2016 - 04:04 PM

Topic should be moved then to the malware pro part of the forum, or start a new topic there.

They can help you more than I can then; myself, I'd just punch the computer past every known AV and rootkit detector/remover ~ malware detector and call it a day, if the OS dies in the process or I lose some files, guess that's life.

I'm a machine at rebuilding Windows so I don't care myself if and when Windows bombs.

As well, you should never have everything on one drive on the computer, makes cleaning up a mess hell.

 

Why would it be moved when he is infected with ransomware and posted in the ransomware forum?



#10 shadow_647

  • Banned
  • 1,430 posts
  • Gender:Male
  • Local time:02:45 PM

Posted 15 December 2016 - 04:09 PM

Oh sorry, my bad, brain fart, I'll stop talking now and let the BC malware pros take over ;)


Edited by shadow_647, 15 December 2016 - 04:10 PM.


#11 Lezalit

  • Topic Starter
  • Members
  • 8 posts
  • Local time:11:45 PM

Posted 16 December 2016 - 04:33 PM

Here is an update:

 

I started with Hiren's Boot CD on the infected computer as recommended. It starts a "Mini XP" OS and contains Malwarebytes Anti-Malware. However, when I started MBAM there was a message "This program may not work well from Mini XP". I realised the version of MBAM was from 2012, as was the database. I was not able to get an Internet connection to update it. I ran MBAM anyway and it found something, but I did not readily identify it as ransomware. I decided to leave it, and ran Kaspersky Rescue Disk 10.0. (I had not yet turned on my infected PC since I saw the ransom letter three days earlier.)

 

KRD found two instances of the script-file from the e-mail from the post office. These were deleted.

On a side note: KRD presented a warning that it might corrupt Windows (don't remember the exact wording). True, it did. When I started the infected PC in safe mode it insisted on doing a check for consistency errors. This check halted for a long time on "Correcting error in index $I30 for file 5107", perhaps up to one hour until it continued. So I spent several hours with this.

 

I ran MBAM and MSE in safe mode, they didn't find anything. Finally, I booted normally and ran the same again. Ransom letters persistently popped up. Long after the virus scans were finished I caught a glimpse of a message from MSE saying something like "ijacka.sys removed", not sure of the text, but I was puzzled there was no h before the i. No more ransom letters popping up after this.

 

Most important: When checking my folders I realised that very few files had been encrypted. Turning off the PC quickly must have been effective!

I will upload the ransom note and a corrupted file to ID Ransom.

 

MSE is still working behind the scenes: Twice tonight I have been asked for permission by MSE to send script files located in Temporary Internet Files to MS for analysis.

 

------------------

 

Got an automatic reply from ID Ransom immediately: It is (was) Crypt0L0cker.


Edited by Lezalit, 16 December 2016 - 04:42 PM.


#12 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 51,288 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:45 PM

Posted 16 December 2016 - 09:40 PM

....When checking my folders I realised that very few files had been encrypted. Turning off the PC quickly must have been effective...Got an automatic reply from ID Ransom immediately: It is (was) Crypt0L0cker.

 
Grinler (aka Lawrence Abrams), the site owner of Bleeping Computer has said this...What should you do when you discover your computer is infected

When you discover that a computer is infected...the first thing you should do is disconnect it from your wireless or wired network. This will prevent it from further encrypting any files.

If you discover that your computer is infected...you should immediately shutdown your computer and if possible create a copy, or image, of your hard drive. This allows you to save the complete state of your hard drive in the event that a free decryption method is developed in the future....If you do not plan on paying the ransom and can restore from a backup, then scan your computer with an anti-virus or anti-malware program and let it remove everything.

If you are affected by ransomware and do not plan on paying the ransom, the best bet is to immediately image the drive before doing anything else. Then in the future if there is a way to decrypt the files you have everything you may need to do so.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, they do not always work correctly so keeping a backup of the original encrypted files and related information is a good practice.

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus. Disinfection will not help with decryption of any files affected by the ransomware.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes 3.0, HitmanPro and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.

Since you have identified the infection as Crypt0L0cker, there is an ongoing discussion in this topic where you can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
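The advice in the post above is to image the drive before doing anything else, so that the encrypted files, ransom notes and registry are preserved exactly as the malware left them in case a decryptor appears later. The following is an added example of that step, not code from BleepingComputer or from any product mentioned in the thread. It assumes you boot the victim machine from a Linux live medium, the infected disk appears as a block device (the path /dev/sdb used in the comments is a placeholder), and an external disk with enough free space is mounted for the output. The device is opened read-only and nothing is written to it; the image is hashed as it is copied and a sidecar file in sha256sum format lets you prove later that the copy is unchanged. A drive with unreadable sectors is better handled by ddrescue, which retries and maps bad blocks; this routine stops at the first read error. The demo at the bottom images a constructed file rather than a real device.

```python
"""Make a verifiable bit-for-bit image of a drive before touching it.

Added example for this thread; not code from BleepingComputer. Assumes a
Linux live medium where the victim's disk is e.g. /dev/sdb (placeholder)
and an external disk is mounted for the image. The source is opened
read-only and never written to.
"""
import hashlib
import os
import sys
import tempfile

CHUNK = 1 << 20  # read/write in 1 MiB pieces


def image_device(src, dst, chunk=CHUNK):
    """Copy src to dst, hashing the bytes as they pass; write a .sha256 sidecar.

    Returns (bytes_copied, sha256_hex). Raises OSError on a read failure,
    which for a physically failing disk is the cue to switch to ddrescue.
    """
    h = hashlib.sha256()
    copied = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while True:
            buf = fin.read(chunk)
            if not buf:              # end of device / file
                break
            fout.write(buf)
            h.update(buf)
            copied += len(buf)
        fout.flush()
        os.fsync(fout.fileno())      # make sure the image really hit the disk
    digest = h.hexdigest()
    with open(dst + ".sha256", "w") as side:
        # Same layout sha256sum -c expects: "<hex>  <filename>"
        side.write(f"{digest}  {os.path.basename(dst)}\n")
    return copied, digest


def verify_image(dst, chunk=CHUNK):
    """Recompute the image's SHA-256 and compare it with the sidecar file."""
    h = hashlib.sha256()
    with open(dst, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    with open(dst + ".sha256") as side:
        expected = side.read().split()[0]
    return h.hexdigest() == expected


def run_demo():
    """Image a constructed 3 MiB + 123 byte 'device' file in a temp dir.

    Returns (bytes_copied, digest_from_copy, digest_of_source, verified).
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "fake_device.bin")
        dst = os.path.join(tmp, "victim_disk.img")
        data = bytes(range(256)) * (3 * 1024 * 4) + b"\xab" * 123  # constructed
        with open(src, "wb") as f:
            f.write(data)
        copied, digest = image_device(src, dst)
        return copied, digest, hashlib.sha256(data).hexdigest(), verify_image(dst)


if __name__ == "__main__":
    # Real use (as root, from a live medium):
    #   python3 image.py /dev/sdb /mnt/external/victim_disk.img
    if len(sys.argv) == 3:
        n, d = image_device(sys.argv[1], sys.argv[2])
        print(f"copied {n} bytes, sha256 {d}, verified={verify_image(sys.argv[2])}")
    else:
        print(run_demo())
```

Keep the image and its .sha256 file together on the external disk; any later recovery attempt or analysis should be done on a copy of the image, so the original stays a faithful record of the infected state.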